Query-based Distribution Groups and Disabled Users

by Bharat Suneja

Another issue with Query-based Distribution Groups (QBDGs): when admins create them, typically using a GUI, there’s no obvious way of excluding disabled user accounts. Even if you enter the LDAP filter manually using Custom Search, it’s easy to forget about excluding disabled users.

End result: users sending mail to QBDGs complain about getting NDRs from disabled users.

To prevent this, you need to change the LDAP filter of the QBDG and insert a bit-wise filter (MS KBA 269181) on the userAccountControl attribute, which indicates, amongst other things, whether a user account is enabled or disabled. Here’s how you do it.

If you used Custom Search to manually enter the ldap filter when creating the QBDG:
1. Start the AD Users & Computers console, locate the group | Properties | click Customize | go to the Advanced tab.
2. Insert this in your filter:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

So if your earlier filter looked something like:

(&(objectClass=user)(homeMDB=*)(department=Finance))

The modified filter looks like this:

(&(objectClass=user)(homeMDB=*)(department=Finance)(!userAccountControl:1.2.840.113556.1.4.803:=2))

If you used the GUI to create the filter, you will need to make this change using ADSIEdit.
1. Start ADSIEdit and locate the QBDG | Properties
2. Modify the msExchDynamicDLFilter attribute as shown in the above example.
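
The edit described above, as an added Python example (not code from the original post): it appends the exclusion clause to an existing QBDG filter string and evaluates the bit-wise AND test against sample userAccountControl values. The function names and sample values are assumptions, and it goes slightly beyond the post by also handling filters that do not start with (&.

```python
# Added example; helper names and sample values are assumptions, not from the post.
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                     # userAccountControl bit for a disabled account
EXCLUDE_DISABLED = f"(!userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})"
# The post's form plus the fully parenthesised RFC 4515 form, lower-cased for comparison.
KNOWN_FORMS = {EXCLUDE_DISABLED.lower(),
               f"(!(useraccountcontrol:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"}


def _children(body):
    """Split a run of parenthesised sub-filters into its top-level items."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return parts


def exclude_disabled(ldap_filter):
    """Return the filter with the disabled-account exclusion ANDed in (idempotent)."""
    f = "".join(line.strip() for line in ldap_filter.splitlines())  # rejoin wrapped paste
    if _children(f) != [f]:
        raise ValueError("expected exactly one parenthesised filter")
    if f.startswith("(&"):
        if any(c.lower() in KNOWN_FORMS for c in _children(f[2:-1])):
            return f                              # clause already at the top level
        return f[:-1] + EXCLUDE_DISABLED + ")"    # append inside the existing AND
    return f"(&{f}{EXCLUDE_DISABLED})"            # wrap OR, NOT or single-test filters


def stays_in_group(user_account_control):
    """Evaluate only the added clause: keep the account unless bit 0x2 is set."""
    return (user_account_control & ACCOUNTDISABLE) != ACCOUNTDISABLE


if __name__ == "__main__":
    print(exclude_disabled("(&(objectClass=user)(homeMDB=*)(department=Finance))"))
    # Constructed userAccountControl values: 512 normal, 514 normal + disabled,
    # 66048 normal + password never expires, 66050 the same account disabled.
    for uac in (512, 514, 66048, 66050):
        print(uac, "kept" if stays_in_group(uac) else "excluded")
```

A plain equality test on userAccountControl would miss 66050, because other flag bits are set alongside the disabled bit; the bit-wise rule checks only bit 0x2.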

- Matt December 7, 2007 at 1:52 pm

Seen this article: http://technet.microsoft.com/en-us/library/aa996205.aspx

Where they used this: (msExchUserAccountControl=2) to exclude disabled users as well. It also works.

Anyone understand what the difference is?

Thanks. – Matt

Bharat Suneja August 5, 2008 at 1:53 pm

@Matt,

UserAccountControl is an AD attribute which provides a lot of information (that is, can have many values such as account disabled, locked out, password not required...). It’s a bitmask, hence the weird-looking format. More details about UserAccountControl.

msExchUserAccountControl is a simpler attribute used by Exchange to determine whether to use the objectSID (if account enabled) or the msExchMasterAccountSID (when account is disabled). It has only 2 values:
0 = enabled
2 = disabled

More info in KB 296479: XADM: Requirements for Disabling the Recipient Update Service

Mark August 12, 2009 at 11:11 am

This does not work for Exchange 2003. You cannot directly modify the filter that I can tell. Only select fields from pull down.

Bharat Suneja August 12, 2009 at 11:16 am

@Mark: As noted in the post, if you used Custom Search to manually type the filter, you can edit it. If you used the GUI and selected fields from the drop-down, you'll have to use ADSIEdit to edit the filter.

Sorry, don't have a box with Exchange 2003 around to provide more details.
